CVE-2026-55435

MEDIUM

Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Title source: cna
STIX 2.1

Description

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via `DELETE /api/v2/users/{user}/keys`.

References (7)

Core 7

Scores

CVSS v3 5.4
EPSS 0.0032
EPSS Percentile 23.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (7)
coder/coder 2.30.0 - 2.32.7Go
coder/coder 2.30.0 - 2.32.7
coder/coder 2.33.0 - 2.33.8Go
coder/coder 2.34.0 - 2.34.2Go
coder/coder >= 2.30.0, < 2.32.7
coder/coder >= 2.33.0, < 2.33.8
coder/coder >= 2.34.0, < 2.34.2
Published Jul 07, 2026
Tracked Since Jul 08, 2026